[lxc-users] No outgoing traffic with bridged network and public IP address from container
Andreas Laut
andreas.laut at spark5.de
Thu Sep 11 09:20:26 UTC 2014
We face this problem very often.
You can try to ping the Host IP and after that the gateway IP from
inside the container.
If that doesn't work you'll have to send arpings from inside the container:
arping -I [lxc-interfacename] -U 91.143.88.119 -c4
(arping from the iputils package)
After that you'll get the following output:
Sent 4 probes (4 broadcast(s))
Received 0 response(s)
0 responses are ok. Try to ping again.
Hope that helps.
Best Regards
On 11.09.2014 at 11:05, othiman wrote:
> Hi everyone,
>
> I already posted this to askubuntu.com
> (http://askubuntu.com/questions/522457/lxc-container-no-outgoing-traffic-with-bridged-network-and-public-ip-address),
> but I think this might be a better place to find help.
>
> I am trying to set up an LXC container with bridged network on ubuntu
> 14.04.1, but the outgoing traffic seems to be blocked. Pinging any IP
> other than the container's own is not working. Actually I tried this
> with a working container of a ubuntu 12.04 host moved to new hardware
> and a recent ubuntu 14.04, but the problem also applies to a newly
> created ubuntu 14.04 container.
>
> I should mention that if I bind the IP address to an aliasing
> interface of the host directly, pinging inside and outside to the host
> is working correctly.
>
> I hope someone has an idea what I am doing wrong.
>
>
> I created the new container with:
> lxc-create -t ubuntu -n ubuntu-test
>
>
> This is my config file:
> # Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
> # Parameters passed to the template: -r trusty
> # For additional config options, please look at lxc.container.conf(5)
>
> # Common configuration
> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
>
> # Container specific configuration
> lxc.rootfs = /var/lib/lxc/ubuntu-test/rootfs
> lxc.mount = /var/lib/lxc/ubuntu-test/fstab
> lxc.utsname = ubuntu-test
> lxc.arch = amd64
>
> # Network configuration
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = br0
> lxc.network.hwaddr = 00:16:3e:6c:7c:79
> lxc.network.ipv4=91.143.88.119/24
> lxc.network.ipv4.gateway=91.143.88.1
> lxc.network.name=eth0
>
>
> My '/etc/network/interfaces' on the host:
> auto lo
> iface lo inet loopback
>
> auto br0
> iface br0 inet static
> address 81.7.15.233
> netmask 255.255.255.0
> broadcast 81.7.15.255
> gateway 81.7.15.1
> bridge_ports eth0
> bridge_fd 0
> bridge_stp off
> bridge_waitport 0
> bridge_maxwait 0
>
>
> and on the client:
> auto lo
> iface lo inet loopback
>
> auto eth0
> iface eth0 inet static
> address 91.143.88.119
> netmask 255.255.255.0
> broadcast 91.143.88.255
> gateway 91.143.88.1
>
>
> IP forwarding is enabled:
> cat /proc/sys/net/ipv4/ip_forward
> 1
>
>
> 'iptables-save' shows
> # Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
> *mangle
> :PREROUTING ACCEPT [20035:4192692]
> :INPUT ACCEPT [7193:3225426]
> :FORWARD ACCEPT [2677:191017]
> :OUTPUT ACCEPT [381:36624]
> :POSTROUTING ACCEPT [3058:227641]
> -A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> COMMIT
> # Completed on Wed Sep 10 18:26:23 2014
> # Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
> *nat
> :PREROUTING ACCEPT [10474:819973]
> :INPUT ACCEPT [282:41644]
> :OUTPUT ACCEPT [7:537]
> :POSTROUTING ACCEPT [57:4274]
> -A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
> COMMIT
> # Completed on Wed Sep 10 18:26:23 2014
> # Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
> *filter
> :INPUT ACCEPT [7193:3225426]
> :FORWARD ACCEPT [2677:191017]
> :OUTPUT ACCEPT [381:36624]
> -A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A FORWARD -o lxcbr0 -j ACCEPT
> -A FORWARD -i lxcbr0 -j ACCEPT
> COMMIT
> # Completed on Wed Sep 10 18:26:23 2014
>
>
> output of 'brctl show':
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.0025905700f8       no              eth0
>                                                         vethRTX30H
> lxcbr0          8000.000000000000       no
>
>
> My host's 'ifconfig':
> br0 Link encap:Ethernet Hardware Adresse 00:25:90:57:00:f8
> inet Adresse:81.7.15.233 Bcast:81.7.15.255 Maske:255.255.255.0
> inet6-Adresse: fe80::225:90ff:fe57:f8/64 Gültigkeitsbereich:Verbindung
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
> RX-Pakete:128248 Fehler:0 Verloren:15 Überläufe:0 Fenster:0
> TX-Pakete:3835 Fehler:0 Verloren:0 Überläufe:0 Träger:0
> Kollisionen:0 Sendewarteschlangenlänge:0
> RX-Bytes:11076138 (11.0 MB) TX-Bytes:343557 (343.5 KB)
>
> eth0 Link encap:Ethernet Hardware Adresse 00:25:90:57:00:f8
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
> RX-Pakete:129421 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
> TX-Pakete:4046 Fehler:0 Verloren:0 Überläufe:0 Träger:0
> Kollisionen:0 Sendewarteschlangenlänge:1000
> RX-Bytes:13510902 (13.5 MB) TX-Bytes:449527 (449.5 KB)
> Interrupt:16 Speicher:fb900000-fb920000
>
> lo Link encap:Lokale Schleife
> inet Adresse:127.0.0.1 Maske:255.0.0.0
> inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
> UP LOOPBACK RUNNING MTU:65536 Metrik:1
> RX-Pakete:2 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
> TX-Pakete:2 Fehler:0 Verloren:0 Überläufe:0 Träger:0
> Kollisionen:0 Sendewarteschlangenlänge:0
> RX-Bytes:176 (176.0 B) TX-Bytes:176 (176.0 B)
>
> lxcbr0 Link encap:Ethernet Hardware Adresse ae:2c:57:c2:f0:24
> inet Adresse:10.0.3.1 Bcast:10.0.3.255 Maske:255.255.255.0
> inet6-Adresse: fe80::ac2c:57ff:fec2:f024/64 Gültigkeitsbereich:Verbindung
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
> RX-Pakete:0 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
> TX-Pakete:8 Fehler:0 Verloren:0 Überläufe:0 Träger:0
> Kollisionen:0 Sendewarteschlangenlänge:0
> RX-Bytes:0 (0.0 B) TX-Bytes:648 (648.0 B)
>
> vethRTX30H Link encap:Ethernet Hardware Adresse fe:97:2b:8e:90:8a
> inet6-Adresse: fe80::fc97:2bff:fe8e:908a/64 Gültigkeitsbereich:Verbindung
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
> RX-Pakete:39 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
> TX-Pakete:14826 Fehler:0 Verloren:0 Überläufe:0 Träger:0
> Kollisionen:0 Sendewarteschlangenlänge:1000
> RX-Bytes:3282 (3.2 KB) TX-Bytes:1466740 (1.4 MB)
>
>
> My container's 'ifconfig'
> eth0 Link encap:Ethernet Hardware Adresse 00:16:3e:6c:7c:79
> inet Adresse:91.143.88.119 Bcast:91.143.88.255 Maske:255.255.255.0
> inet6-Adresse: fe80::216:3eff:fe6c:7c79/64 Gültigkeitsbereich:Verbindung
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
> RX-Pakete:20082 Fehler:0 Verloren:2 Überläufe:0 Fenster:0
> TX-Pakete:40 Fehler:0 Verloren:0 Überläufe:0 Träger:0
> Kollisionen:0 Sendewarteschlangenlänge:1000
> RX-Bytes:2005479 (2.0 MB) TX-Bytes:3368 (3.3 KB)
>
> lo Link encap:Lokale Schleife
> inet Adresse:127.0.0.1 Maske:255.0.0.0
> inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
> UP LOOPBACK RUNNING MTU:65536 Metrik:1
> RX-Pakete:0 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
> TX-Pakete:0 Fehler:0 Verloren:0 Überläufe:0 Träger:0
> Kollisionen:0 Sendewarteschlangenlänge:0
> RX-Bytes:0 (0.0 B) TX-Bytes:0 (0.0 B)
>
>
> 'tail /proc/sys/net/bridge/*' on the host
> ==> /proc/sys/net/bridge/bridge-nf-call-arptables <==
> 0
>
> ==> /proc/sys/net/bridge/bridge-nf-call-ip6tables <==
> 0
>
> ==> /proc/sys/net/bridge/bridge-nf-call-iptables <==
> 0
>
> ==> /proc/sys/net/bridge/bridge-nf-filter-pppoe-tagged <==
> 0
>
> ==> /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged <==
> 0
>
> ==> /proc/sys/net/bridge/bridge-nf-pass-vlan-input-dev <==
> 0
>
>
> finally 'ping 8.8.8.8' in the container:
> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> ^C
> --- 8.8.8.8 ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 2015ms
>
> Best regards,
> Thomas
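
The check sequence from the reply at the top of this message (ping the host, ping the gateway, send unsolicited ARP, ping again), written out as an added shell example that is not part of the original thread. The function names, return codes and the overridable PING/ARPING variables are assumptions for illustration; the addresses in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): run inside the container as root.
# PING and ARPING are hypothetical override knobs so the sequence can be
# dry-run with stand-ins; by default the real iputils tools are used.
PING=${PING:-ping}
ARPING=${ARPING:-arping}

# reachable <ip>: one echo request, 2 second timeout, output discarded
reachable() {
    "$PING" -c 1 -W 2 "$1" >/dev/null 2>&1
}

# both_reachable <host_ip> <gateway_ip>
both_reachable() {
    reachable "$1" && reachable "$2"
}

# check_container_net <iface> <container_ip> <host_ip> <gateway_ip>
# Returns 0 if host and gateway answer straight away,
#         1 if they answer only after the unsolicited ARP,
#         2 if they still do not answer afterwards.
check_container_net() {
    iface=$1 cip=$2 host=$3 gw=$4

    if both_reachable "$host" "$gw"; then
        echo "host $host and gateway $gw reachable"
        return 0
    fi

    echo "ping failed; sending unsolicited ARP for $cip on $iface"
    # -U is unsolicited ARP mode: it updates neighbours' ARP caches and
    # expects no replies, so "Received 0 response(s)" is normal here and
    # the exit status of arping is not used.
    "$ARPING" -I "$iface" -U "$cip" -c 4 >/dev/null 2>&1 || true

    if both_reachable "$host" "$gw"; then
        echo "reachable after the ARP announcement"
        return 1
    fi
    echo "still unreachable after the ARP announcement"
    return 2
}

# With the values quoted in the thread:
#   sh check.sh eth0 91.143.88.119 81.7.15.233 91.143.88.1
if [ "$#" -eq 4 ]; then
    check_container_net "$@"
fi
```

A return code of 1 means the pings succeeded only after the announcement, which is the case the reply describes; 2 means the unsolicited ARP did not help.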